User account for system protection or recovery

ABSTRACT

In one embodiment, a data processing system includes a guest account that is configured to assist in the protection and recovery of the data processing system when it is lost or stolen. In one embodiment, the guest account can allow Internet access and can include a web browser to allow the guest, who might be a thief, to use the system to browse the Internet. While such use occurs, the system can perform actions specified by an authorized user of the system, and such actions can include determining a location of the system and transmitting the location to the authorized user, erasing data on the system, displaying a message, capturing an image, etc.

This application claims the benefit of the filing date, under 35 U.S.C. §119(e), of U.S. Provisional Application No. 61/433,113 filed on Jan. 14, 2011.

BACKGROUND OF THE INVENTION

The present disclosure relates to methods and apparatuses for protecting or recovering data processing systems, such as a laptop or a cellular telephone that has been lost or stolen.

Existing methods for protecting data processing systems include encryption of storage devices or encryption of information stored on storage devices. For example, information on a hard drive or flash memory can be encrypted in order to protect the content from discovery by those not intended to see the content. The encryption can be of a portion of the data on a storage device or the entire storage device to the extent that is possible. Another technique which is known in the art for protecting a system is the use of a remotely controlled erase mechanism which can erase data on a stolen or lost system in response to a command sent to the system through a network, such as the Internet or a cellular telephone network. A software product known as “Undercover,” which is available at orbicule.com, can be used to take pictures of a user of a lost or stolen system.

SUMMARY OF THE DESCRIPTION

The present invention provides various embodiments for protecting lost or stolen systems. For example, in one embodiment, a method for protecting a lost or stolen system can include receiving an input to start up or wake up a data processing system and receiving an input to use a guest account log in option which is presented in response to the input to start up or wake up the system. The method can further include presenting a user interface of a guest account on the data processing system and receiving at least one signal from another data processing system which causes an action to be performed while the guest account is used. This action can be specified by an authorized user of the data processing system, such as the owner of the system which has been lost or stolen from the owner of the data processing system. The action can include at least one of: (a) determining information which indicates a location of the data processing system and transmitting the location information to the authorized user; or (b) erasing data on the data storage device of the data processing system; or (c) displaying a message which requests that the data processing system be returned to the authorized user; or (d) capturing an image of the user of the data processing system; or (e) locking the user (e.g. the thief) from logging into a guest account of the authorized user; or (f) any combination of two or more of these actions.

The location or information which indicates a location can be derived from a network connection (e.g. a WiFi hotspot database) or a satellite positioning system (e.g. a GPS receiver) or a cellular wireless radio connection, etc. In one embodiment, the method can be performed in a system which includes two partitions on a storage device, such as a magnetic hard drive or a flash memory or other storage devices. One partition can include an operating system for the authorized user's account, and a second partition, from which a guest account is executed, includes a second operating system stored on the second partition of the device. In one embodiment, the second partition can include recovery software which is configured to perform at least one of repairing the first partition of the storage device or reinstalling the first operating system on the first partition or restoring data files of the authorized user on the first partition, wherein the restoration can be performed from a backup of the data files.

A method according to another embodiment of the present invention can include receiving an input to start up or wake up a data processing system and receiving an input to use a guest account log in option which is presented in response to the input to start up or wake up the system, and presenting a user interface of the guest account on the data processing system and performing an action at the data processing system, wherein the action is specified by an authorized user and is enabled by the use of the guest account which automatically provides a network access through at least one network connection. In one embodiment, in this method, the network access includes Internet access and the network access cannot be disabled when using the guest account. The actions which are specified by the authorized user can be any one of the actions described herein and, in one embodiment, these actions can be taken or performed automatically in response to the use of the guest account without having to receive a signal from another data processing system. This embodiment can automatically provide a network functionality to allow actions to be performed, although such network functionality is not required in at least certain embodiments.

A method according to another embodiment can cause the system to switch, in response to a notification or other signal, into a restricted guest account during the use of a lost or stolen system. In one embodiment, this method can include receiving and responding to user inputs as if the data processing system is being used by an authorized user, and then receiving, through a network connection, a notification that represents or results from an indication that the use of the system is not authorized. In response to this notification, the system can switch into a restricted guest account. In one embodiment, this can include a forced save of user data and system state to a non-volatile storage (e.g. a magnetic hard drive or a flash memory) and then forcing a rebooting into a restricted guest account. While in the guest account, the system can perform at least one action specified by an authorized user, such as any one of the actions described herein (e.g. determining a location of the system, erasing data on the system, displaying a message which requests the system to be returned, capturing an image of the user, locking the user from logging into a user account of the authorized user, etc.). The switching, which occurs in response to the notification, can include a rebooting of the data processing system into the restricted guest account, and the restricted guest account can allow use of a web browser and provide access to the Internet. In one embodiment, the restricted guest account may appear as a normal user account, such as a user account provided for an authorized user of the system. For example, all of the applications on the system may be available for use, including web browsers, PDF viewers, word processing software, number processing software, photo processing software, etc. This can tend to encourage the person who has obtained the lost or stolen system to use the system, which can then permit the system to be discovered or otherwise to perform the actions specified by the authorized user while the guest account is being used.

A method according to another embodiment of the present invention can cause the system to operate in one way if data on the system is not encrypted and to operate another way if data on the system is encrypted. If data is encrypted in the system, then the system can be operated in a manner to provide a higher level of protection than other methods described herein. For example, a method according to this embodiment can boot into a restricted guest account in response to determining that the data processing system has an encrypted storage device and in response to a user's selection of a guest account. The restricted guest account can provide a web browser and Internet access and network access can be enabled automatically to allow use of the web browser and Internet access. In one implementation of this embodiment, the network access cannot be disabled by the user of the guest account. The method can further include receiving at least one signal from another data processing system, which signal causes an action to be performed while the guest account is used. This action can be used to protect data on the data processing system or to recover the data processing system and can be specified by an authorized user of the data processing system which may be lost or stolen. The method can also include locking out the user of the guest account from an authorized user's account unless the authorized user's account is enabled with the entry of a security code which may be different than a log in code or password.

Other methods and other embodiments are described herein, including computer readable or machine readable tangible storage medium which can provide non-transitory storage of computer programs, which when executed can perform any one of the methods described herein, and the present invention also includes data processing systems, including one or more systems which can perform any one of the methods described herein.

The above summary does not include an exhaustive list of all aspects of the present invention. It is contemplated that the invention includes all systems and methods that can be practiced from all suitable combinations of the various aspects summarized above, and also those disclosed in the Detailed Description below.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

FIG. 1 shows a flowchart which depicts a method according to one embodiment of the present invention.

FIG. 2 shows an example of a data processing system which can be used with one or more of the embodiments of the present invention.

FIG. 3A shows an example of a user interface for a log in window according to one embodiment of the present invention.

FIG. 3B shows an example of a user interface, such as a window, for a log in after a wake up from a sleep state, for example.

FIG. 4 shows an example of a plurality of data processing systems which may be connected together through a network, such as the Internet, to perform one or more of the methods described herein.

FIG. 5 is a flowchart which shows a method according to an embodiment of the present invention.

FIG. 6 depicts software components and data stored on a storage device, such as a magnetic hard drive or a flash memory or other form of storage devices.

FIG. 7 is a flowchart which illustrates another method according to an embodiment of the present invention.

FIG. 8 is another flowchart which shows another method according to an embodiment of the present invention.

FIG. 9 is another flowchart which shows another method according to an embodiment of the present invention.

FIG. 10 shows an example of a data processing system which may be used with any of the embodiments described herein.

DETAILED DESCRIPTION

Various embodiments and aspects of the inventions will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative of the invention and are not to be construed as limiting the invention. Numerous specific details are described to provide a thorough understanding of various embodiments of the present invention. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments of the present inventions.

Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification do not necessarily all refer to the same embodiment. The processes depicted in the figures that follow are performed by processing logic that comprises hardware (e.g. circuitry, dedicated logic, etc.), software, or a combination of both. Although the processes are described below in terms of some sequential operations, it should be appreciated that some of the operations described may be performed in a different order. Moreover, some operations may be performed in parallel rather than sequentially.

In one embodiment, a data processing system can include a guest account that is configured to assist in the protection or recovery or both the protection and recovery of the data processing system when, for example, it is stolen or lost. In one embodiment, the guest account can allow Internet access and can include a web browser to allow the guest, who might be a thief, to use the system to browse the Internet. Furthermore, the guest account can be configured so that the user of the guest account cannot disable network access or Internet access. While such use by the guest account occurs, the system can perform actions specified by an authorized user of the system, and such actions can include determining a location of the system and transmitting the location to the authorized user, or erasing data on the system, or displaying a message to the user of the guest account, or capturing an image of the user of the guest account, etc. The guest account can normally be entered into after startup of the data processing system (e.g. booting the data processing system) or upon waking up the system from a sleep or other low power state. During use of the guest account, the data processing system which provides the guest account can be in communication with one or more other systems, such as a server system that can provide a notification, such as a push notification, to a system that has been lost or stolen and this push notification can be generated in response to the use of another data processing system, used by the authorized user, who has requested the server to transmit the push notification to the system of the authorized user which has been lost or stolen. In response to the notification from the server, the data processing system can, in one embodiment, lock the authorized user's user accounts such that a new password may be required to access those authorized user accounts, etc. Further details are provided below in conjunction with the accompanying figures.

The method shown in FIG. 1 can be employed to protect a data processing system by enabling a guest account to perform options or actions which are enabled by the use of the guest account. FIG. 2 shows an example of such a data processing system which includes a guest account 223 as well as an authorized user's account 203. Information with respect to these two accounts can be stored in memory 201 which can be one or more of a magnetic hard drive, flash memory, a semiconductor memory such as DRAM, etc. This memory can be coupled to a processing system 205 which can include one or more processors in a data processing system such as a computer, a smart phone, or an entertainment system, or other consumer electronic device. The data processing system can also include a network interface 207 which is coupled to the processing system 205 and to the memory 201 to allow the data processing system to communicate with a network, such as the Internet 209. Memory 201 can also include an operating system 225, such as the Macintosh operating system OS X from Apple Inc. or the Windows operating system from Microsoft. Memory 201 can also include a network stack or a plurality of network stacks 227 to allow the system to communicate through the Internet or other network. Memory 201 can also include a daemon for the lost or stolen system which can operate in the background as a daemon process to monitor notifications from another data processing system such as a server system 403 shown in FIG. 4 or another data processing system 405 which can be operated by an authorized user seeking to recover or protect the lost or stolen system of the authorized user.

The system shown in FIG. 2 can respond to an input received in operation 101 of FIG. 1 to either start up the system or to wake up the system from sleep. In response to this input, the system can present a user interface which allows a user to log in as a guest on the guest account 223. This input, received in operation 103 shown in FIG. 1, can occur through a variety of different user interfaces, including the user interfaces shown in FIGS. 3A and 3B. The user interface shown in FIG. 3A may be a window 301 shown in a desktop or other background on a display of a data processing system, such as the system shown in FIG. 2. Window 301 can include log in button 309 and can include a list of authorized users, such as authorized users 303B and 305B, each associated with a radio button, such as radio button 303A and radio button 305A, allowing the user to select between different user accounts and then to select the log in button 309 to cause the system to log that user in. If a password is required, a data entry field for the password can be presented within window 301 or a follow-on window which appears after selecting the log in button 309. A guest account button 307 is also shown within window 301 and allows a user who does not want to or cannot log in as an authorized user to log in as a guest user by selecting the guest account button 307. Window 301 may appear in response to booting up the system or may appear in response to waking up the system from a sleep state.

FIG. 3B shows an alternative user interface to present a log in window 321; the example shown in FIG. 3B may occur if the user has instituted a screen lock in which the system goes to sleep and the display turns off after a period of time, and the user can awake the system from this sleep state and in response to such awakening, the system presents window 321. In this case, the system went asleep with the authorized user Bill having been using the system and so the log in window shows Bill as the last authorized user and allows Bill to enter Bill's password into data entry field 325 and then Bill can log in by selecting the log in button 331. If other authorized users want to log into their accounts, they need to select button 327 which can present a list of other authorized users and any one of those authorized users can be selected and a password entered for that authorized user and then the log in button 331 can be selected to log in as that authorized user. Window 321 also includes a guest account button 329 which can be used to access the guest account, such as any one of the guest accounts described herein.

Returning to FIG. 1, it can be seen that in response to receiving an input to use the guest account in operation 103, the system can present, in operation 105, the user interface for the guest account. This can include the display of a normal or apparently normal desktop for the guest account and one or more applications available to the user of the guest account. In a typical implementation, this can include a web browser application, a PDF viewer, a text editing application, a photo editing application, an email application, and other applications commonly provided for a guest account. In addition, the system can be enabled to provide network access, such as network access through a wireless medium or wired medium (e.g. Ethernet wired access or WiFi wireless access or cellular telephone access, etc.). In one embodiment, the user of the guest account cannot disable network access and Internet access and hence the system has the capability of communicating with other systems, such as server system 403 or the data processing system 405 which can be operated by the authorized user to transmit a signal either directly to the lost or stolen system or to the lost or stolen system through the server 403 as described further below. In effect, the use of the guest account enables and facilitates the protection and/or recovery of the system because the guest account provides network access which allows the server or the authorized user or both to communicate with the system that is lost or stolen. In operation 107, the system which is lost or stolen can receive at least one signal from another data processing system, such as a server system 403 or another data processing system, such as system 405, which can be operated by an authorized user. In one embodiment, this at least one signal can cause the system which is lost or stolen to take an action or to perform an action while the guest account is being used. This action can be any of a plurality of possible actions, including, for example, determining information which indicates a location of the data processing system and transmitting that information to the authorized user; or erasing data on a data storage device of the data processing system which was lost or stolen; or displaying a message on a display device of the system which is lost or stolen, which message requests that the system be returned to the authorized user; or capturing an image of the user of the system which is lost or stolen; or locking the user of the guest account from logging into a user account of an authorized user of the system which is lost or stolen; or any combination of two or more of these actions, etc.

When the at least one action includes determining information which indicates the location of the system, the system can determine the information from one of a network connection, such as a wired Internet connection or a wireless connection, such as a WiFi hotspot which can be identified by name or other identifier and then associated through a database with a location for that WiFi hotspot or other WiFi location; alternatively, the information about location can be provided by a satellite positioning system such as a GPS (global positioning system) receiver, or can be provided by information about location derived from a wireless cellular telephone radio connection. This location information can be transmitted to the authorized user through a server system, such as server system 403, or directly to the authorized user who is using another data processing system, such as the data processing system 405 which can be used by an authorized user. When the action which is performed includes capturing an image of the user of the guest account, the system which captures the image can do so through a camera coupled to the system which is lost or stolen and transmit that image to the authorized user either directly to the authorized user or through another data processing system, such as the server 403 as shown in FIG. 4.

In one embodiment of the method shown in FIG. 1, and implemented as shown by the system of FIG. 2, the user account which is authorized can be executed through a first operating system which is stored on a first partition of a data storage device, and the guest account is executed through a second operating system stored on a second partition of the data storage device. In this implementation, the data files of the authorized user are not accessible to the user of the guest account, and this provides an added form of protection for data of the authorized user's accounts. In one embodiment, the second partition can include recovery software which is configured to perform at least one of repairing the first partition of the data storage device or reinstalling the first operating system on the first partition, or restoring data files of the authorized user on the first partition, through backups of the data files previously obtained for the authorized user. FIG. 6 shows an example of a data storage device, such as a magnetic hard drive or flash memory or other types of non-volatile storage devices which can include multiple partitions. A further description of FIG. 6 will be provided in conjunction with the method shown in FIG. 8, and it will be appreciated that the multiple partition approach may be employed with any one of the embodiments described herein.

If the lost or stolen system is recovered by the authorized user, the system can implement a technique to allow the one or more authorized users to exit the guest account mode, particularly if the system is locked in the guest account mode and will not permit entry into an authorized user's account. In one embodiment, the guest account may be exited by requesting the system to log into an authorized user's account and entering the standard password for that account. In other embodiments, the password required to exit the guest account may be a newly established password established by the authorized user when the authorized user reported that the system was lost or stolen. In this case, the user may need to enter a different password, which is different than the password used to log in for that authorized user, when exiting the guest account. A further discussion of the process of exiting the guest account will be provided below in conjunction with FIG. 9.

The example of how an authorized user can recover or protect a lost or stolen system is provided in conjunction with FIG. 4. In the system 401 shown in FIG. 4, an authorized user can use a system 405 to communicate through a network, such as the Internet 409, either directly or indirectly with the lost or stolen system 407. The lost or stolen system 407 has an enabled network access set up in the guest account on the system 407 which allows the system 407 to receive messages from either the data processing system 405 or the server system 403 and to transmit data to one or both of the systems 403 and 405. The server system 403 may be provided by a service provider or the company which sold system 407 to the authorized user who is now using system 405 while system 407 is lost or stolen. The authorized user can use system 405 to send a message to server 403 notifying the server 403 that the authorized user's system 407 has been lost or stolen. In turn, the server system 403 can send a push notification or other notification to the system 407 which is received by the daemon 229 on the system which is lost or stolen. In response to the receipt of this notification by daemon 229, the daemon can perform the one or more actions, such as the one or more actions referred to in operation 107 and described herein.
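The FIG. 4 exchange (owner's system 405, server 403, daemon on the lost system 407) and the summary's switch-into-guest behaviour, as an added illustration that is not code from the patent or from any product: the server wraps the owner's requested actions in a push message, and the daemon authenticates it, rejects replays, forces the system into the guest account if an authorized account was active, and then dispatches each action. The keyed HMAC on the message, the nonce check, the hotspot database, and every field and function name here are assumptions for the example; the patent itself does not specify how the notification is authenticated, but a daemon that can erase a disk on command must verify who is commanding it.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Shared secret provisioned when the owner enrolled the device with the
# server. Hypothetical; constructed for this example only.
SERVER_KEY = b"constructed-demo-enrollment-key"

# Constructed WiFi hotspot database (SSID -> approximate location).
HOTSPOT_DB = {"CoffeeShop-Guest": "Main St, Anytown"}


@dataclass
class Device:
    """Simulated state of the lost or stolen system (constructed)."""
    active_account: str = "guest"        # "guest" or an authorized user name
    network_enabled: bool = True         # the guest account cannot turn this off
    user_files: list = field(default_factory=lambda: ["tax.pdf", "photos.zip"])
    accounts_locked: bool = False        # lock on log in to authorized accounts
    wifi_ssid: Optional[str] = None
    gps_fix: Optional[tuple] = None
    cell_location: Optional[str] = None
    seen_nonces: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # data sent back to server / owner
    screen_message: str = ""
    captured_images: int = 0
    log: list = field(default_factory=list)


def sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def build_notification(actions, nonce, message=""):
    """Server side: wrap the owner's requested actions in an authenticated push message."""
    body = json.dumps({"nonce": nonce, "actions": list(actions), "message": message},
                      sort_keys=True)
    return json.dumps({"body": body, "mac": sign(body.encode())})


def locate(dev: Device):
    """Location from the WiFi hotspot database, else GPS, else the cellular radio."""
    if dev.wifi_ssid in HOTSPOT_DB:
        return {"source": "wifi", "location": HOTSPOT_DB[dev.wifi_ssid]}
    if dev.gps_fix:
        return {"source": "gps", "location": dev.gps_fix}
    if dev.cell_location:
        return {"source": "cellular", "location": dev.cell_location}
    return None


def handle_notification(dev: Device, raw: str) -> bool:
    """Daemon side: authenticate, reject replays, then perform the owner's actions."""
    msg = json.loads(raw)
    if not hmac.compare_digest(sign(msg["body"].encode()), msg["mac"]):
        dev.log.append("rejected: bad mac")
        return False
    body = json.loads(msg["body"])
    if body["nonce"] in dev.seen_nonces:
        dev.log.append("rejected: replayed nonce")
        return False
    dev.seen_nonces.add(body["nonce"])

    if dev.active_account != "guest":
        # Summary embodiment: save state, then reboot into the restricted guest account.
        dev.log.append(f"saved state for {dev.active_account}; rebooting into guest")
        dev.active_account = "guest"
        dev.network_enabled = True

    for action in body["actions"]:
        if action == "locate":
            loc = locate(dev)
            if loc:
                dev.outbox.append(("location", loc))
        elif action == "erase":
            dev.user_files.clear()
        elif action == "display_message":
            dev.screen_message = body["message"]
        elif action == "capture_image":
            dev.captured_images += 1
            dev.outbox.append(("image", f"capture-{dev.captured_images}.jpg"))
        elif action == "lock_accounts":
            dev.accounts_locked = True
        else:
            dev.log.append(f"ignored unknown action {action!r}")
    return True


if __name__ == "__main__":
    dev = Device(active_account="bill", wifi_ssid="CoffeeShop-Guest")
    raw = build_notification(["locate", "lock_accounts", "display_message"],
                             nonce=1, message="Please return this computer to its owner")
    print(handle_notification(dev, raw), dev.outbox, dev.log)
```

The location lookup follows the fallback order the description gives (hotspot database, then GPS, then cellular). The forced switch into the guest account only changes the simulated account name here; on a real system it is the forced save and reboot the summary describes.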

FIG. 5 shows an example of another method according to an embodiment of the present invention. In this method, the lost or stolen data processing system can perform the operations without receiving any signal from a server or other system. For example, the lost or stolen system can perform the one or more actions automatically in response to activation or use of the guest account. In this embodiment, the system can receive an input to start up or wake up in operation 501, and in response to this input, the system can present a log in user interface with a guest account option (such as the user interfaces shown in FIGS. 3A or 3B). A user can then select the guest account option which causes the system, in operation 503, to receive the input to use the guest account, and in response to that input, the system can present a user interface, in operation 505, for the guest account. In one embodiment, the guest account can provide a web browser with network access which is automatically enabled as described elsewhere in this disclosure. In one embodiment, the network access cannot be disabled by the user of the guest account in order to guarantee that the lost or stolen system can communicate with another system through a network, such as the Internet. The user interface of the guest account can include other application software, such as PDF viewers, text editors, photo editors, email programs, etc. as described in this application. In operation 507, the lost or stolen system can then perform one or more actions specified by an authorized user, and these actions are enabled by the use of the guest account and are triggered by the use of the guest account in one embodiment of the method shown in FIG. 5. These one or more actions can be any one or a combination of actions described herein, including, for example, determining information which indicates a location of the data processing system and transmitting that information to the authorized user, or erasing data on a data storage device of the data processing system, or displaying a message which requests that the data processing system be returned to the authorized user, or capturing an image of the user of the data processing system while the guest account is being used, or locking the user of the guest account from logging into a user account of the authorized user, etc. The guest account can, in one embodiment of FIG. 5, be the guest account shown in FIG. 2 or can be the restricted guest account shown in FIG. 6, which is described further below. Moreover, this restricted guest account can be on a partition on the data storage device which is separate from the main partition for the one or more authorized user accounts of the data processing system. While the method shown in FIG. 5 does not require a signal from another system such as a server, such signal could still be used to cause additional actions to be performed in response to a signal from a server or from a system controlled by an authorized user of the lost or stolen system.

FIG. 6 shows an example of a multiple partition storage device which can be used in at least some of the embodiments of the present invention. Memory 601 can represent a magnetic hard drive, or a flash memory, or other non-volatile storage device or a volatile memory such as DRAM or a combination of volatile and non-volatile memory. In one implementation, memory 601 is a magnetic hard drive or a flash memory which is partitioned into distinct volumes, each represented by a partition. Main partition 603 includes an operating system (OS) 607 and a daemon 609 and data for one or more authorized user accounts 611 and also includes one or more user applications, such as a web browser, PDF viewer, photo viewer, photo editor, email applications, text editing applications, number editing applications (e.g. spreadsheets), presentation preparation applications (e.g. Keynote), etc. Operating system 607 may be a full version of the operating system deployed on the data processing system while a recovery operating system 621 may be a limited or reduced size operating system which does not include all of the installation packages normally associated with a full operating system; for example, the recovery operating system may not include printer drivers and other accessory software but can include the capability of downloading printer drivers, etc. and other accessory software when in a recovery or repair mode. Daemon 609, like daemon 625, can be computer software which is configured to operate in one or more of the methods described herein to protect or recover the system by allowing communication with an external system such as the server 403 or another data processing system, such as a data processing system operated by an authorized user, such as the system 405 shown in FIG. 4. The data for the authorized user accounts 611 can include user names, passwords, and other information commonly associated with the types of data stored for a user account. For example, this data 611 can include, for each authorized user, a user name, a user log in password, a screen log in password, a data encryption password, and other data setting or configuring the system for a particular authorized user as is known in the art. Such data can be maintained for each authorized user and the system may have multiple authorized users rather than just a single authorized user. Main partition 603 can include a security measure 615 which can be one or both of encryption or a lock on logging in for any authorized user account. In one embodiment, the security measure can be a full disk encryption or an encryption of a portion of the data stored in main partition 603. In another embodiment, security measure 615 can be a lock on a log in for any authorized user account; this lock can be implemented as described below in conjunction with operation 809 of FIG. 8, and can require that a new recovery password be entered into the system in order to cause the system to exit from the guest account mode as described further below. In this case, the lock implemented through security measure 615 can require a recovery mode password or a recovery password to be entered into the system to allow it to exit the guest account and allow the use of the one or more authorized user accounts on the system.
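The log in lock of security measure 615, together with the exit-from-guest flow described earlier (a recovery password established by the owner when reporting the loss, distinct from the normal log in password), as an added example that is not code from the patent or from any product. It keeps a per-user record with a salted PBKDF2 hash of the log in password and, after the loss is reported, a separate recovery credential; while the lock is set, only the recovery password unlocks the authorized accounts, and the normal log in password is refused even though it is correct. The record layout, function names, the PBKDF2 parameters, and the choice to make the recovery credential single-use are assumptions for this example.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERS = 100_000  # illustrative work factor, chosen for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes

    @classmethod
    def from_password(cls, password: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, _hash(password, salt))

    def verify(self, password: str) -> bool:
        return secrets.compare_digest(_hash(password, self.salt), self.digest)


@dataclass
class AccountRecord:
    """One authorized user's entry in the account data (constructed layout)."""
    login: Credential
    recovery: Optional[Credential] = None   # set only after the owner reports the loss
    locked: bool = False                    # the log in lock of security measure 615


@dataclass
class AccountStore:
    accounts: dict = field(default_factory=dict)
    guest_mode: bool = True                 # system is currently in the guest account


def add_user(store: AccountStore, name: str, password: str) -> None:
    store.accounts[name] = AccountRecord(Credential.from_password(password))


def report_lost(store: AccountStore, name: str, recovery_password: str) -> None:
    """Owner (via the server notification) establishes a recovery password and locks log in."""
    rec = store.accounts[name]
    rec.recovery = Credential.from_password(recovery_password)
    rec.locked = True
    store.guest_mode = True


def exit_guest_mode(store: AccountStore, name: str, presented: str) -> bool:
    """Try to leave the guest account and log in as `name`.

    While the lock is set, only the recovery password is accepted; the normal
    log in password is refused even if correct.  Unlocking clears the lock and
    consumes the recovery credential (single use; an assumption of this example).
    """
    rec = store.accounts.get(name)
    if rec is None:
        return False
    if rec.locked:
        if rec.recovery is None or not rec.recovery.verify(presented):
            return False
        rec.locked = False
        rec.recovery = None
        store.guest_mode = False
        return True
    if rec.login.verify(presented):
        store.guest_mode = False
        return True
    return False


if __name__ == "__main__":
    store = AccountStore()
    add_user(store, "bill", "hunter2")
    report_lost(store, "bill", "recovery-9f3k")
    print(exit_guest_mode(store, "bill", "hunter2"))        # False: locked
    print(exit_guest_mode(store, "bill", "recovery-9f3k"))  # True: unlocked
```

Refusing the normal password while locked is the point of the measure: whoever holds the machine may also have observed or guessed the everyday log in password, but the recovery password was created after the loss and never typed on that machine.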

Recovery partition 605 can include a recovery operating system 621, described above, as well as disk repair software, and an OS reinstall software, and a data restore software. This is shown as component 623 and all of these elements within component 623 may be provided or a subset of these elements may be provided. The disk repair software allows the system to boot off of the recovery partition through the recovery OS 621 and then attempt to repair the disk or other storage device by performing conventional disk repair or storage device repair mechanisms (e.g. performing a disk utility operation or running the “FSCK” command, etc.). The operating system reinstall element in component 623 can include the ability to reinstall the operating system on the main partition 603 by, for example, reinstalling the operating system through a network connection, etc. The data restore element in component 623 can include the ability to restore a user's data and applications through a previously performed backup operation as is known in the art. Also within the recovery partition 605 is daemon software 625 which, like daemon 609, allows the data processing system shown in FIG. 6, which can be the lost or stolen system, to communicate with one or more other systems, such as the server 403 shown in FIG. 4 or the system 405 shown in FIG. 4, etc. The communication can include the receipt of a push notification or other messages from the server or other system and it can include transmitting messages to other systems, such as transmitting the location of the lost or stolen system to another system, such as the server 403 or a system 405 used by an authorized user who is attempting to recover the lost or stolen system. These notifications or messages or other data can be transmitted through network interface 625 of the system shown in FIG. 6 which is coupled to one or more networks 637 which can be the Internet. Network interface 635 is also coupled to a processing system 633 which in turn is coupled to memory 601. Processing system 633 can be one or more microprocessors each with one or more cores as is well known in the art. FIG. 10 shows an example of a data processing system which includes one or more processors along with memory, including a non-volatile memory 1007 which can be memory 601 in one embodiment.

Recovery partition 605 can also include a web browser 627 which can be the same as the web browser which is part of user applications 613, although because it is stored on a separate partition, it is a separate copy of that web browser if it is the same type of web browser. The recovery partition 605 can also, in one embodiment, include other software applications, such as a PDF viewer, an email program, and other software applications described in conjunction with user applications 613. Recovery partition 605 also includes data for a guest account 629. This data can include some of the same types of data that a normal authorized user account can have, such as a user account name and configuration data for configuring the guest account. The system shown in FIG. 6 is an example of how a lost or stolen system can be protected according to one embodiment, and this system may be used with any one of the methods described herein, including the methods shown in FIGS. 1, 5, 7, 8, and 9.

FIG. 7 shows an example of a method according to one embodiment of the invention which includes a switch into a restricted guest account in response to a notification, such as a notification received by daemon 229 or a notification received by daemon 609. This method can be performed when a data processing system has no log in password or auto log in has been set up on the system and there is no screen lock set up on the system which requires a password to be entered after the system has gone to sleep. In this case, a thief can find the data processing system and begin to use it as if the thief is the authorized user because no passwords are required to be entered in order to gain access to the system. Hence, in operation 701, the system receives and responds to user inputs as if an authorized user is operating the system, even if the system is lost or stolen. In operation 703, the system can receive, through a network connection (e.g. network interface 207 or network interface 635), a notification, such as a push notification, that represents or results from an indication that the use of the system is not authorized. In one embodiment, this indication can originate from one or more of the authorized users of the lost or stolen system who have sent a message to server 403 which in turn causes the transmission of a push notification to the lost or stolen system which is received in operation 703. In response to the notification from operation 703, the system automatically switches into a restricted guest account. This can, in one implementation, be in the form of a fast user switching operation without rebooting the system. In another implementation, the switching can include a rebooting of the system into a guest account, and in yet another implementation, the switching can include rebooting the system into a guest account executed from a recovery partition or other partition which is separate from a partition from which the authorized user account executes. In one embodiment, prior to rebooting the system, if rebooting is used, the system can force a saving of all user data and the user state (e.g. state of each open application and its windows, etc.) into a non-volatile storage in a manner which is similar to a hibernation entry operation or sleep entry operation in which all user data in DRAM is saved to a non-volatile storage along with the state of the system (e.g. all of its open windows, the positions of the windows, etc.) as is known in the art. In this way, the system can save user data that has not been saved to a hard drive and can save the state information of the system to allow the authorized user to resume use of the system from the point at which it was lost or stolen. The saving of user data and system state in this manner can be performed before forcing a reboot into the guest account. The guest account can, as with other embodiments described herein, allow the use of a web browser and provide access to the Internet. In one embodiment, the user of the guest account cannot disable network access and hence the system can always be guaranteed access to the Internet to the extent it is available (e.g. to the extent that a WiFi hotspot is available or a cellular telephone connection is available, etc.).

In operation 707, the lost or stolen system can perform, while in the guest account, at least one action specified by an authorized user. This action may be specified before the system is lost or stolen (e.g. the authorized user enters a preference indicating those actions, which preference is saved on the system and retrieved when the guest account is used) or the actions can be specified remotely by the authorized user in the context of a system shown, for example, in FIG. 4 in which an authorized user instructs the lost or stolen system, either directly or indirectly, of the actions required. The actions can be any one of determining information that indicates a location of the data processing system and transmitting that information to the authorized user, or erasing data on a data storage device of the data processing system, or displaying a message which requests that the data processing system be returned to the authorized user; or capturing an image of the user of the data processing system, or locking the user from logging into a user account of the authorized system, or any combination of two or more of these actions.

The method shown in FIG. 7 may be employed with a system such as that shown in FIG. 6 or with a system such as that shown in FIG. 2. If the system of FIG. 6 is used, then the authorized user's account can be executed through a first operating system stored on a first partition on a non-volatile storage device and the restricted guest account is executed through a second operating system stored on a second partition on the non-volatile storage device. In this configuration, the files of the authorized user or users are not accessible to the user of the restricted guest account as the first partition can be hidden from the user of the restricted guest account. In one embodiment, the second partition can include recovery software as shown and described relative to FIG. 6, such as any one of the elements of components 623.

FIG. 8 shows an example of another method according to one embodiment of the present invention. The method shown in FIG. 8 can be performed with the system shown in FIG. 6 when a main partition includes a security measure in which data has been encrypted, such as an encrypted storage device which employs a full disk encryption. In this method, the system, such as the system shown in FIG. 6, when implementing the method of FIG. 8, does not have to wait for a push notification in order to take action; rather, the use of a guest account can cause the system to take action immediately and in response to that use, reboot into a guest account partition and perform the one or more actions such as those actions described relative to operation 707 or operation 507 of FIGS. 7 and 5, respectively. These actions can be performed after rebooting into the guest account partition in operation 813. The method of FIG. 8 can begin in operation 801 in which the system determines, at start up or wake up, whether the system has an encrypted storage device, such as a hard disk or a flash memory that has some level of disk encryption, such as a full disk encryption or full flash memory encryption. If the system does not have such an encrypted storage device, then the method proceeds to operation 803 in which the use of the system is allowed as shown in FIG. 7. In this case, the system can still switch into the guest account mode after receiving a notification, such as a push notification described herein. However, if operation 801 determines the system has an encrypted storage device, then the system determines next in operation 805 whether or not a guest account is selected. If it is not, the system proceeds to operation 807 in which the authorized user account is enabled if a valid authorized user password is entered in a password data entry field. On the other hand, if a guest account is selected, then, in operation 809, the system can apply a lock to prevent booting into the user account on the main partition and can save, in operation 811, user data and state information, if any, in DRAM to a non-volatile storage device. Operation 811 is similar to the operations which occur when a system hibernates or goes to sleep and before doing so, unsaved user data and the state of applications and the processing system is all saved to non-volatile storage so that the authorized user can return to the state of the system (e.g., which applications are launched and open, which windows are open, the position of the windows, etc.) when the user recovers the lost or stolen system. Then in operation 813, the system reboots into the guest account which can be on a separate partition which includes a web browser and which includes an automatically enabled network access which permits use of the web browser to browse the Internet. Also, as noted in FIG. 6, additional software may be provided for the guest account so that the guest account appears to be a relatively normal user account allowing use of the web browser and other common software applications in the guest account.

The lock which is applied in operation 809 can, in one embodiment, require the entry of a previously stored recovery password (stored prior to the system becoming lost or stolen) which can be different than the normal log in password used by the authorized user. Alternatively, this recovery password can be created by the authorized user when the authorized user instructs a server, such as a push notification server, to take certain actions with respect to a lost or stolen system. For example, the user of the system 405 shown in FIG. 4 can provide a recovery password to the server 403 which can then provide that recovery password to the lost or stolen system when that system is in communication with the server through, for example, the Internet.

FIG. 9 shows an example of how a recovery password can be used when an authorized user account is locked. It will be appreciated that in one embodiment all authorized user accounts are locked in response to operation 809 rather than a selected group of authorized user accounts. The method of FIG. 9 can be performed after the guest account has been activated or is in use. In operation 901, the guest account receives a request to log in as an authorized user. The system, in operation 903, determines whether the authorized user account is locked; this lock can be the result of operation 809 which is described herein or could be the result of an optional operation in the method of FIG. 7, etc. If the authorized user account is not locked, then processing proceeds to operation 905 in which a normal log in is allowed with the previously stored password of the particular authorized user. If the password which is entered is valid, then use of the authorized user account is allowed as in operation 905. On the other hand, if it is determined that the authorized user account is locked in operation 903, then processing proceeds to operation 907 in which the system requires a recovery password to be entered into a password data entry field in order to gain access to a particular authorized user account. In one embodiment, this recovery password can be created by an authorized user after the system is lost or stolen. The authorized user can, using the system 405 shown in FIG. 4, for example, create this recovery password and transmit that recovery password either directly to system 407, which is the lost or stolen system, or indirectly to that system through the server system 403 as shown in FIG. 4. Alternatively, the recovery password could previously have been stored on the system prior to being lost or stolen and the authorized user can merely remember and use that recovery password after recovering the lost or stolen system.
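
The following Python model is an added illustration, not code from the patent or from any product it describes. It walks through the decision logic of FIGS. 7, 8 and 9 together: the encryption check of operation 801, the lock of operation 809 with the hibernation-style save of operation 811 and the reboot into the guest account of operation 813, the notification-driven switch of FIG. 7 with pre-specified and remotely specified actions (operation 707), and the locked versus unlocked log in branch of operations 903 to 907. The `Device` structure, the salted SHA-256 storage of passwords and the dictionary format of the push notification are assumptions of this model.

```python
"""Toy model of the guest-account flows of FIGS. 7, 8 and 9.

Constructed illustration, not the patent's implementation. Passwords are
kept as salted SHA-256 digests (an assumption of this model, not the patent).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# The five actions of operation 707 / claim 2; anything else is ignored.
ACTIONS = {"locate", "erase", "message", "capture_image", "lock"}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class Device:
    encrypted: bool                          # operation 801: storage encrypted?
    login_salt: bytes
    login_digest: bytes                      # authorized user's normal log in password
    preset_actions: set = field(default_factory=set)   # preference saved before loss
    recovery_salt: Optional[bytes] = None    # recovery password behind the 809 lock
    recovery_digest: Optional[bytes] = None
    locked: bool = False                     # security measure 615 / operation 809
    mode: str = "booting"                    # "authorized", "awaiting_password", "guest"
    saved_state: Optional[dict] = None       # operation 811 / hibernation-style save
    performed: list = field(default_factory=list)   # actions run in the guest account


def new_device(login_pw: str, encrypted: bool, preset_actions=(), recovery_pw=None) -> Device:
    salt = os.urandom(16)
    dev = Device(encrypted, salt, _digest(login_pw, salt), set(preset_actions))
    if recovery_pw is not None:              # recovery password stored before loss
        set_recovery_password(dev, recovery_pw)
    return dev


def set_recovery_password(dev: Device, recovery_pw: str) -> None:
    """Store a recovery password, whether set before loss or delivered via server 403."""
    dev.recovery_salt = os.urandom(16)
    dev.recovery_digest = _digest(recovery_pw, dev.recovery_salt)


def _reboot_into_guest(dev: Device, live_state: dict) -> None:
    # Operation 811 / FIG. 7: persist unsaved user data and window state first,
    # then (operation 813) come up in the guest account on the separate partition.
    dev.saved_state = dict(live_state)
    dev.mode = "guest"
    # Actions the owner pre-specified run as soon as the guest account is used.
    dev.performed.extend(sorted(dev.preset_actions))


def boot(dev: Device, guest_selected: bool, live_state: Optional[dict] = None) -> str:
    """FIG. 8, operations 801 to 813. Returns the mode the system ends up in."""
    if not dev.encrypted:
        dev.mode = "authorized"              # operation 803: use allowed as in FIG. 7
        return dev.mode
    if not guest_selected:
        dev.mode = "awaiting_password"       # operation 807: normal password entry
        return dev.mode
    dev.locked = True                        # operation 809: lock the main-partition accounts
    _reboot_into_guest(dev, live_state or {})
    return dev.mode


def handle_notification(dev: Device, note: dict, live_state: Optional[dict] = None) -> str:
    """FIG. 7, operations 703 to 707: a push notification reports unauthorized use."""
    if note.get("type") != "unauthorized_use":
        return dev.mode
    requested = [a for a in note.get("actions", ()) if a in ACTIONS]
    if "lock" in requested:                  # the optional lock that operation 903 can see
        dev.locked = True
    if dev.mode != "guest":                  # switch into the guest account, saving state first
        _reboot_into_guest(dev, live_state or {})
    dev.performed.extend(requested)          # operation 707
    return dev.mode


def login_request(dev: Device, password: str) -> str:
    """FIG. 9, operations 901 to 907: a request from the guest account to log in."""
    if dev.locked:                           # operation 903 -> 907: recovery password needed
        if dev.recovery_digest is None:
            return "denied"                  # nothing delivered yet, so nothing can unlock
        ok = hmac.compare_digest(_digest(password, dev.recovery_salt), dev.recovery_digest)
    else:                                    # operation 905: normal log in password
        ok = hmac.compare_digest(_digest(password, dev.login_salt), dev.login_digest)
    if not ok:
        return "denied"
    dev.locked = False                       # exit the guest account mode
    dev.mode = "authorized"
    return "authorized"
```

Note that while the lock from operation 809 is in place the owner's ordinary log in password is refused; only a recovery password, stored before the loss or delivered through the server, releases it.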

Any one of the methods described herein can be implemented on a variety of different data processing devices, including general purpose computer systems, special purpose computer systems, etc. For example, the data processing systems which may use any one of the methods described herein may include a desktop computer or a laptop computer or a tablet computer or a smart phone, or a cellular telephone, or a personal digital assistant (PDA), an embedded electronic device or a consumer electronic device. FIG. 10 shows one example of a typical data processing system which may be used with the present invention. Note that while FIG. 10 illustrates the various components of a data processing system, such as a computer system, it is not intended to represent any particular architecture or manner of interconnecting the components as such details are not germane to the present invention. It will also be appreciated that other types of data processing systems which have fewer components than shown or more components than shown in FIG. 10 may also be used with the present invention. The data processing system of FIG. 10 may be a Macintosh computer or iPad or iPod Touch from Apple Inc. of Cupertino, Calif. As shown in FIG. 10, the data processing system 1001 includes one or more buses 1009 which serve to interconnect the various components of the system. One or more processors 1003 are coupled to the one or more buses 1009 as is known in the art. Memory 1005 may be DRAM or non-volatile RAM or may be flash memory or other types of tangible memory or a combination of such memories. This memory is coupled to the one or more buses 1009 using techniques known in the art. The data processing system 1001 can also include non-volatile memory 1007 which may be a hard disk drive or a flash memory or a magnetic optical drive or magnetic memory or an optical drive or other types of memory systems which maintain data even after power is removed from the system. The non-volatile memory 1007 and the memory 1005 are both coupled to the one or more buses 1009 using known interfaces and connection techniques. A display controller 1011 is coupled to the one or more buses 1009 in order to receive display data to be displayed on a display device 1013 which can display any one of the user interface features or embodiments described herein. The display device 1013 can include an integrated touch input to provide a touch screen. The data processing system 1001 can also include one or more input/output (I/O) controllers 1015 which provide interfaces for one or more I/O devices, such as one or more mice, touch screens, touch pads, joysticks, and other input devices including those known in the art and output devices (e.g. speakers). The input/output devices 1017 are coupled through one or more I/O controllers 1015 as is known in the art. While FIG. 10 shows that the non-volatile memory 1007 and the memory 1005 are coupled to the one or more buses directly rather than through a network interface, it will be appreciated that the data processing system may utilize a non-volatile memory which is remote from the system, such as a network storage device which is coupled to the data processing system through a network interface such as a modem or Ethernet interface or wireless interface, such as a wireless WiFi transceiver or a wireless cellular telephone transceiver or a combination of such transceivers. As is known in the art, the one or more buses 1009 may include one or more bridges or controllers or adapters to interconnect between various buses. In one embodiment, the I/O controller 1015 includes a USB adapter for controlling USB peripherals and can include I/O controllers that can control an Ethernet port or a wireless transceiver or combination of wireless transceivers. It will be apparent from this description that aspects of the present invention may be embodied, at least in part, in software. That is, the techniques and methods described herein may be carried out in a data processing system in response to its processor(s) executing a sequence of instructions contained in a memory, such as the memory 1005 or the non-volatile memory 1007 or a combination of such memories and each of these memories is a form of a machine readable, tangible storage medium. In various embodiments, hardwired circuitry may be used in combination with software instructions to implement the present invention. Thus the techniques are not limited to any specific combination of hardware circuitry and software nor to any particular source for the instructions executed by the data processing system.

In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of the invention as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

1. A machine readable tangible storage medium storing executable instructions that cause, when executed, a system to perform a method comprising: receiving an input to start-up or wake-up a data processing system; receiving an input to use a guest account log in option which is presented in response to the input to start-up or wake-up; presenting a user interface of a guest account on the data processing system; receiving at least one signal from another data processing system, the at least one signal causing an action to be performed while the guest account is used and the action being specified by an authorized user of the data processing system.
2. The medium as in claim 1 wherein the authorized user selects the action and wherein the at least one action is one of: (a) determining information which indicates a location of the data processing system and transmitting the information to the authorized user; (b) erasing data on a data storage device of the data processing system; (c) displaying a message which requests that the data processing system be returned to the authorized user; (d) capturing an image of the user of the data processing system; (e) locking the user from logging into a user account of the authorized user; or (f) any combination of two or more of these actions.
3. The medium as in claim 2 wherein when the at least one action includes determining information which indicates the location, the data processing system determines the information from one of a network connection or a satellite positioning system or a cellular wireless radio connection and wherein the data processing system transmits the information to the authorized user through the another data processing system which is available to the authorized user; and wherein when the at least one action includes capturing the image of the user, the data processing system capturing the image through a camera coupled to the data processing system and transmitting the image to the authorized user through the another data processing system.
4. The medium as in claim 3 wherein the authorized user's account is executed through a first operating system (OS) stored on a first partition on the data storage device and the guest account is executed through a second OS stored on a second partition on the data storage device and wherein data files of the authorized user are not accessible to the user of the guest account.
5. The medium as in claim 4 wherein the second partition comprises recovery software configured to perform at least one of (a) repairing the first partition of the data storage device; (b) reinstalling the first OS on the first partition; or (c) restoring data files of the authorized user on the first partition, the restoring being performed from a backup of the data files.
6. The medium as in claim 3, wherein the method further comprises: generating data to present a user interface, in the guest account mode, that is configured to allow the authorized user to exit the guest account mode and to operate in the authorized user's user account.
7. The medium as in claim 3 wherein the guest account allows the user of the guest account to use a web browser to access the Internet and wherein the at least one signal is received after the authorized user indicates the data processing system is lost or stolen and wherein the at least one signal specifies the at least one action and wherein the at least one signal is received as a result of the user using the guest account to use the web browser.
8. A machine readable tangible storage medium storing executable instructions that cause, when executed, a system to perform a method comprising: receiving and responding to one or more inputs of a user of a data processing system; receiving, through a network connection, a notification wherein the notification represents an indication that the use of the data processing system is not authorized; switching, in response to the notification, the data processing system into a restricted guest account; performing, while in the restricted guest account, at least one action specified by an authorized user of the data processing system.
9. The medium as in claim 8 wherein the at least one action is one of: (a) determining information that indicates a location of the data processing system and transmitting the information to the authorized user; (b) erasing data on a data storage device of the data processing system; (c) displaying a message which requests that the data processing system be returned to the authorized user; (d) capturing an image of the user of the data processing system; (e) locking the user from logging into a user account of the authorized user; or (f) any combination of two or more of these actions.
10. The medium as in claim 9 wherein the switching, in response to the notification, comprises rebooting the data processing system into the restricted guest account and wherein the restricted guest account allows a use of a web browser and provides access to the Internet.
11. The medium as in claim 10 wherein the switching further comprises saving user data, in one or more open applications, to a non-volatile data storage device before rebooting the data processing system.
12. The medium as in claim 11 wherein the saving of user data also saves state information including the operating state of the one or more open applications such that the authorized user can return to the operating state, with the user data saved, that existed before the data processing system was lost or stolen.
13. The medium as in claim 10 wherein the authorized user's account is executed through a first operating system (OS) stored on a first partition on a non-volatile data storage device and the restricted guest account is executed through a second OS stored on a second partition on the non-volatile data storage device and wherein files of the authorized user are not accessible to the user of the restricted guest account.
14. The medium as in claim 13 wherein the second partition comprises recovery software configured to perform at least one of (a) repairing the first partition; (b) reinstalling the first OS for the authorized user; or (c) restoring data files of the authorized user on the first partition, the restoring being performed from a backup of the data.
15. The medium as in claim 9 wherein the notification is generated in response to the authorized user indicating that the data processing system is lost or stolen and wherein the data processing system is not protected by requiring a log in password.
16. A machine readable tangible storage medium storing executable instructions that cause, when executed, a system to perform a method comprising: determining, at start-up or wake-up of a data processing system, whether the data processing system has an encrypted storage device; booting into a restricted guest account in response to determining the data processing system has an encrypted storage device and in response to a user's selection of the guest account, the restricted guest account providing a web browser and Internet access; receiving at least one signal from another data processing system, the at least one signal causing an action to be performed, while the guest account is used, to protect data on the data processing system or recover the data processing system, and wherein the action is specified by an authorized user of the data processing system.
17. The medium as in claim 16 wherein a user of the restricted guest account is locked out of an authorized user's account unless the authorized user's account is enabled with the entry of a security code.
18. A machine implemented method comprising: receiving an input to start-up or wake-up a data processing system; receiving an input to use a guest account log in option which is presented in response to the input to start-up or wake-up; presenting a user interface of a guest account on the data processing system; receiving at least one signal from another data processing system, the at least one signal causing an action to be performed while the guest account is used and the action being specified by an authorized user of the data processing system.
19. The method as in claim 18 wherein the at least one action is one of: (a) determining information which indicates a location of the data processing system and transmitting the information to the authorized user; (b) erasing data on a data storage device of the data processing system; (c) displaying a message which requests that the data processing system be returned to the authorized user; (d) capturing an image of the user of the data processing system; (e) locking the user from logging into a user account of the authorized user; or (f) any combination of two or more of these actions.
20. The method as in claim 19 wherein the authorized user's account is executed through a first operating system (OS) stored on a first partition of the data storage device and the guest account is executed through a second OS stored on a second partition of the data storage device and wherein data files of the authorized user are not accessible to the user of the guest account.
21. The method as in claim 20 wherein the second partition comprises recovery software configured to perform at least one of (a) repairing, when authorized by the authorized user, the first partition of the data storage device; or (b) reinstalling, when requested by the authorized user, the first OS on the first partition; or (c) restoring, when requested by the authorized user, data files of the authorized user on the first partition, the restoring being performed from a backup of the data files; and wherein the method further comprises: generating data to present a user interface, in the guest account, that is configured to allow the authorized user to exit the guest account and to log in to the authorized user's user account.
22. A machine implemented method comprising: receiving and responding to one or more inputs of a user of a data processing system; receiving, through a network connection, a notification, wherein the notification represents an indication that the use of the data processing system is not authorized; switching, in response to the notification, the data processing system into a restricted guest account; performing, while in the restricted guest account, at least one action specified by an authorized user of the data processing system.
23. The method as in claim 22 wherein the at least one action is one of: (a) determining information that indicates a location of the data processing system and transmitting the information to the authorized user; (b) erasing data on a data storage device of the data processing system; (c) displaying a message which requests that the data processing system be returned to the authorized user; (d) capturing an image of the user of the data processing system; (e) locking the user from logging into a user account of the authorized user; or (f) any combination of two or more of these actions.
24. The method as in claim 23 wherein the switching, in response to the notification, comprises rebooting the data processing system into the restricted guest account and wherein the restricted guest account allows a use of a web browser and provides access to the Internet; and wherein the switching further comprises saving user data, in one or more open applications, to a non-volatile data storage device before rebooting the data processing system; and wherein the saving of user data also saves state information including the operating state of the one or more open applications such that the authorized user can return to the operating state, with the user data saved, that existed before the data processing system was lost or stolen; and wherein the authorized user's account is executed through a first operating system (OS) stored on a first partition on a non-volatile data storage device and the restricted guest account is executed through a second OS stored on a second partition on the non-volatile data storage device and wherein files of the authorized user are not accessible to the user of the restricted guest account.
25. A machine readable tangible storage medium storing executable instructions that cause, when executed, a system to perform a method comprising: receiving an input to start-up or wake-up a data processing system; receiving an input to use a guest account log in option which is presented in response to the input to start-up or wake-up; presenting a user interface of a guest account on the data processing system; performing an action at the data processing system, wherein the action is specified by an authorized user and is enabled by use of the guest account which automatically provides network access through at least one network connection.
26. The medium as in claim 25 wherein the network access includes Internet access and wherein the network access cannot be disabled when using the guest account.